How to Secure the Internet of Things
July 10, 2015
The Internet of Things (IoT) is coming, say experts. The stars of cloud computing, big data and overall tech advancements have aligned to light a path toward the interconnectivity of everyday items. We are talking about a world where insurance is calculated based on exact distances driven and the failing of automotive parts is predicted a month in advance and to a 90% accuracy rate. IoT is the Amazon.com of 1995, with nothing but possibility ahead of it, but as it advances, enterprises need to understand the potential risks and challenges in order to develop secure devices in the Age of IoT.
Interconnectivity of Devices Is Already Here and Growing
Every product will be a smart product and connect to some other item or service. Just think about activity trackers: the Fitbit, the Jawbone and the dozens of other products just like those. This wearable tech tracks your daily movement, heart rate, sleep patterns and so much more. But that’s not the end; you then connect it to an app such as MapMyWalk, where you can log your specific workouts, the foods you ate and even the specific shoes you wear, so you know when they’ve met their lifespan and it’s time for a new pair. Interconnectivity is here, but it will continue to grow. What’s next is that you will take your 24/7 activity/health report to your physician, who then utilizes predictive analytics to know what health challenges you may face in 5 months or 5 years and what you need to do or be prescribed to change your course.
What could possibly be wrong with a future such as this?
IoT Security Risks
No matter how wonderful it sounds, technology always comes with vulnerabilities and someone out there willing to hack it. A 2014 report already showed 70% of today’s common IoT devices Android-connected cars can easily be compromised by vulnerabilities in the smartphone’s embedded OS that rarely takes security into consideration when it is being built. This blind eye given to mobile security is the cause for reports of a 614% rise in mobile malware. Openings for attacks such as this one and more lead to a number of potential IoT security risks, a number that is growing each day.
Risk #1: Billions of Devices are Vulnerable
Not just billions but tens of billions of devices connect to the Internet today. Issues with and vulnerabilities in web, network and cloud security and so much more can bring down a single product which, in turn, affects all those connected to it. This risk is also a challenge for every organization in the world, because no team can monitor all these access points at once; something is bound to break at some point in time.
Risk #2: Potential Threats Can Pose Grave Consequences for the Enterprise
With increasing machine-to-machine communication, any disruption to connectivity can lead to operational failures for the enterprise. Additionally, DDoS attacks that take down entire feeds of information can lead to unhappy customers and loss of revenue. If you take the activity tracker example, a DDoS attack could prevent all tracker information from syncing with a user’s fitness app. This disruption prevents additional information from being calculated. For someone who utilizes the app frequently and makes purchasing decisions from it, major disruptions to connectivity between devices can cause increased dissatisfaction and even revenue loss.
IoT is not only about the interconnectivity of end-user devices, and this movement is not solely about making the end-user’s day-to-day life easier. In fact, IoT has been leveraged extensively in the enterprise environment. A hack into the thermostat of a nuclear power plant or into the control panels of a power grid can have catastrophic consequences, leading to vast physical damage and posing a serious threat to an entire city, state or even nation of people.
Even the increased use of wearable tech as a part of this IoT movement can lend itself to disgruntled employees or competitors going into an organization and recording that company’s IP, R&D and much more. For these companies, physical destruction may not be a threat but there are grave economic impacts at stake.
Risk #3: Business Continuity Plans Not In Place
Another major risk of IoT will actually come as a result of other risks being first realized. In the event that an aspect of a series of interconnected devices is compromised, a secondary risk of enacting a business continuity plan will come into play. For every scenario in which a vulnerability can be exploited there needs to be a plan for maintaining business-as-usual. This is especially necessary for maintaining customer satisfaction and a steady revenue flow in the event that trouble occurs. Oftentimes, organizations need to develop a process for ensuring high availability of services, such as through increased bandwidth and managing traffic; failure to create this plan can lead to severe economic impact for an organization.
Challenges When Combatting IoT Risks
When attempting to plan solutions to IoT risks there are two main challenges managers and their teams will face.
Challenge #1: Identify ALL Potential Threat Access Points
With IoT, technology is woven together across a variety of devices and networks. The potential entry points for a hacker can be vast and, as a result, can lead to issues when developing a security plan if all access points are not taken into account. It is important for the team to look deeply into how these devices work with one another and the environments they are in. For example, a device that communicates off a building’s open WiFi networks can be compromised through an access point that your team may not have control over, but you still need to have a business continuity plan in place should this occur. Additionally, malware can be planted on devices before they even leave the factory, so the supply chains involved in the process need to be examined as well. With such interconnectivity, locating all potential threat openings will be a challenge that needs to be readdressed regularly.
Challenge #2: Develop a Well-versed Team to Identify Potential Intrusions
So while locating the potential access points is a feat in itself, having the right team in place to monitor for malicious actions also proves challenging. Security teams need to constantly look at every device or sensor that can connect to the Internet. They need to understand the security risks specific to their enterprise and what to look out for. In order to achieve this, extensive, regular and organizationally specific training is needed.